Subject: Re: [PATCH v4 07/10] x86: narrow out of bounds syscalls to sys_read under speculation
From: Jiri Slaby
To: Dan Williams, linux-kernel@vger.kernel.org
Cc: linux-arch@vger.kernel.org, kernel-hardening@lists.openwall.com, gregkh@linuxfoundation.org, x86@kernel.org, Ingo Molnar, Andy Lutomirski, "H. Peter Anvin", tglx@linutronix.de, torvalds@linux-foundation.org, akpm@linux-foundation.org, alan@linux.intel.com
Date: Wed, 24 Jan 2018 15:40:40 +0100

On 01/19/2018, 01:02 AM, Dan Williams wrote:
> The syscall table base is a user controlled function pointer in kernel
> space. Like 'get_user', use 'MASK_NOSPEC' to prevent any out of bounds
> speculation. While retpoline prevents speculating into the user
> controlled target it does not stop the pointer de-reference, the concern
> is leaking memory relative to the syscall table base.
>
> Reported-by: Linus Torvalds
> Cc: Thomas Gleixner
> Cc: Ingo Molnar
> Cc: "H. Peter Anvin"
> Cc: x86@kernel.org
> Cc: Andy Lutomirski
> Signed-off-by: Dan Williams
> ---
> arch/x86/entry/entry_64.S | 2 ++
> arch/x86/include/asm/smap.h | 9 ++++++++-
> 2 files changed, 10 insertions(+), 1 deletion(-)
>
> diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S
> index 4f8e1d35a97c..2320017077d4 100644
> --- a/arch/x86/entry/entry_64.S
> +++ b/arch/x86/entry/entry_64.S
> @@ -35,6 +35,7 @@ > #include > #include > #include > +#include

This is already included 2 lines above.

thanks,
--
js
suse labs
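Review bot: the `+#include` at the end of the entry_64.S hunk duplicates one of the three `#include` context lines directly above it (the reply makes the same point), so the addition should be dropped; the header names did not survive in the quoted copy, so which of the three it repeats cannot be read off here. Separately, the diffstat lists arch/x86/include/asm/smap.h with 9 insertions and 1 deletion, but that hunk is not quoted in this message, so the actual MASK_NOSPEC change the commit message describes is not visible for review here. The commit message could also state explicitly what the subject line implies, namely that masking an out-of-range syscall number yields index 0, which is sys_read on x86-64, so that subject and body agree.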
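As an added illustration (not code from Dan Williams' patch; the kernel's MASK_NOSPEC is x86 assembly), the plain C below shows the branchless bounds mask that turns an out-of-range syscall number into slot 0, i.e. sys_read, so the table dereference stays inside the table even when the range check is mispredicted. The table size, handler names and return values are constructed for the demo.

```c
#include <stdio.h>
#include <limits.h>

#define NR_SYSCALLS_DEMO 8UL   /* constructed table size for this demo */
#define ENOSYS_DEMO 38         /* Linux errno value for ENOSYS */

/* Branchless bounds mask in the style of the kernel's
 * array_index_mask_nospec(): all-ones when idx < size, 0 otherwise, with
 * no conditional branch the CPU could mispredict. (idx | (size-1-idx))
 * has its top bit set exactly when idx >= size (for size below 2^63);
 * ~ and an arithmetic shift (gcc/clang behaviour) spread that bit. */
static unsigned long nospec_mask(unsigned long idx, unsigned long size)
{
    long v = (long)(idx | (size - 1UL - idx));
    return (unsigned long)(~v >> (sizeof(long) * CHAR_BIT - 1));
}

typedef long (*syscall_fn)(long arg);

static long sys_read_demo(long a)  { return 100 + a; } /* slot 0, as sys_read on x86-64 */
static long sys_write_demo(long a) { return 200 + a; }
static long sys_other_demo(long a) { return 300 + a; }

static const syscall_fn sys_call_table_demo[NR_SYSCALLS_DEMO] = {
    sys_read_demo, sys_write_demo, sys_other_demo, sys_other_demo,
    sys_other_demo, sys_other_demo, sys_other_demo, sys_other_demo,
};

/* The user-controlled number after masking: in range it is unchanged,
 * out of range it collapses to 0 (sys_read) instead of indexing past
 * the table relative to its base. */
static unsigned long masked_syscall_nr(unsigned long nr)
{
    return nr & nospec_mask(nr, NR_SYSCALLS_DEMO);
}

/* Dispatch shape after the patch: architectural range check first, then
 * mask so that a mispredicted check still cannot read beyond the table. */
static long do_syscall_demo(unsigned long nr, long arg)
{
    if (nr >= NR_SYSCALLS_DEMO)
        return -ENOSYS_DEMO;
    nr = masked_syscall_nr(nr);
    return sys_call_table_demo[nr](arg);
}

int main(void)
{
    unsigned long probes[] = { 0, 3, 7, 8, 4096, ~0UL };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("nr %lu -> masked %lu\n", probes[i], masked_syscall_nr(probes[i]));
    return 0;
}
```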